I am migrating from Joomla 1.5 to WordPress and my client does not want users to have to re-register. So I am writing a WordPress plugin to match a user's password with what's in the jos_users table and then update their info in WordPress accordingly.
Everything I have read so far for Joomla's password authentication points me to the getCryptedPassword function:
http://docs.joomla.org/API15:JUserHelper/getCryptedPassword
My plugin is encrypting what the user enters the same way:
$db_password = explode(':', $query); //what's in the password field of jos_users
$salt = $db_password[1];
$string_to_be_hashed = $user_entered_pass . $salt;
$test_pass = md5($string_to_be_hashed);
$test_pass = $test_pass . ":" . $salt;
if($test_pass = query){echo "success"}
I have tested 3 accounts using this...but only 2 are authenticating.
Specifically: md5($password$salt):$salt != database password value
In the database, the password value for the account it is not working for appears to have used the same encryption and in the same format ([md5hash]:salt). I know the password is correct because I can login into the client's site with it.
In addition, I ran a search on the entire Joomla codebase for the getCryptedPassword function. In all cases, no explicit encryption method is sent - both the code and the documentation indicate that md5 is used by default.
Can anyone think of any places I should look for alternative encryption possibilities?
I have no idea where else to look or why this particular user account appears to be encrypting differently.
In Joomla Standards The encryption handles like as follow.
jimport('joomla.user.helper');
$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword($password_choose, $salt);
$password = $crypt.':'.$salt;
You can run the compare thing in a separate file by loading entire joomla framework to a single file in root.
define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
define( 'DS', DIRECTORY_SEPARATOR );
require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );
$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();
Also you cannot decrypt the Joomla password.If you know the password (original text) Then try with wordpress password fromat .
Hope this may helps..
Related
I was doing a typo3 upgrade from version 7 to 10. But got stuck with the fe users login section. Read in the documentation as salted passwords will automatically gets converted to argon2i hash values. This works for be users correctly. I have got a custom extension, where I will check whether the plaun text password is same as that of the password hash value in the database. My code is
if ($settings['feUserPid'] == $user['pid']) {
$mode = 'FE';
$success = GeneralUtility::makeInstance(PasswordHashFactory::class)
->getDefaultHashInstance($mode)
->checkPassword($request->getArgument('password'), $user['password']);
}
Even if the password is correct, the value of $success is always FALSE. The passwords in the database is not argon2i hash value.
How can I fix this problem? Has anyone faced an issue like this?
It's a while ago for me but I used
$hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)->getDefaultHashInstance('FE');
$hashedPassword = $hashInstance->getHashedPassword($x);
Your method should work. Did you verify the setting of [FE][passwordHashing][className] in the installtool?
Scenario:
1) login.php verifies the username and password and sets a session with the user id
$_SESSION['id'] = $id;
2) datatables / jquery calls an action.php file to fill the table with data
"ajax":{
url:"action.php",
type:"POST",
data:{action:'listTable'},
dataType:"json"
},
3) the action.php file calls the function listTable()
include('table.php');
$table = new table();
$table->listTable();
4) the listTable function (table.php) returns the whole data which is landing in the datatable
$output = array(
"draw" => intval($_POST["draw"]),
"recordsTotal" => $numRows,
"recordsFiltered" => $numRows,
"data" => $tableData
);
echo json_encode($output);
5) the data was selected with a sql command and was put into the tableData variable
Everything works fine in that case.
Ideas:
I wanted to acccess the session variable within the sql select command. This is not possible, because of the jquery / action.php api. Those are complete different files and have no access to that session. It is possible to set the user id within a hidden formular field, but this is not secure and easy to manipulate. A cookie file is also user editable. Furthermore Javascript cannot read server side session variables.
Question:
How can i use / access that php session variable in that scenario?
Update:
Thats not working too :/
overview.php
$userID = $_SESSION['id'];
data.js
"ajax":{
url:"action.php",
type:"POST",
data:{userID:userID, action:'listTable'},
dataType:"json"
},
table.php
$userID = $_POST["userID"];
I really don't understand here the problem, because of $_SESSION variable is available across the php files even if an ajax calls the php file. Until you call the AJAX call from the same browser and the ajax call includes the cookies (one of the cookie will be the session ID) then you will be able to reach your user ID in the SQL query on the PHP side, without passing to javascript/jquery your user's ID.
As you wrote in login.php:
$_SESSION['id'] = $id;
In your table.php where the SQL command is living:
echo isset($_SESSION['id']) ? "I'm existing!" : "I'm NOT existing!";
It will print "I'm existing!" if the user logged in and "I'm NOT existing!" if the user didn't log in. All the $_SESSION variables are available across the php files until the server gets the SESSION ID from the browser (which is a cookie). Cookies are automatically sent if you calling the same domain.
So, I'm using the following Ruby scripts to make bulk changes to user permissions: https://github.com/RallyTools/Rally-User-Management
My issue is that I need to put this code on a server where other people might be able to access it, and I want to change the my_vars.rb file to hold my credentials in the form of an API key instead of my username and password.
Is this possible? Because it doesn't seem as simple as removing the username and password lines, and replacing those lines with one for an API key
The rally_api gem's documentation shows example of creating a connection with ApiKey in the Usage section. The user management utility is based on this gem.
#Using api keys? -- currently rally1 only
Go to https://rally1.rallydev.com/login
You can generate an api key on this site and use it *instead* of username and password
config = {:base_url => "https://rally1.rallydev.com/slm"}
config[:api_key] = "_your_api_key_from_https://rally1.rallydev.com/login"
config[:workspace] = "Workspace Name"
config[:project] = "Project Name"
config[:headers] = headers #from RallyAPI::CustomHttpHeader.new()
The commit history shows that rally_api started to support ApiKey authentication in version 1.0
I am setting up openLDAP for one of my Java applications. Usernames and passwords are stored in openLDAP and users are able to update their passwords via the application (using the javax.naming.directory API'). I imported our users from our existing Sun Directory Server into openLDAP. Import was successfull and passwords were encrypted in SSHA format. I noticed that when i update a password from the application, it stores it in 'Plain Text' format. I can unhide the password when i view it via Apache Directory Studio. A lot of googling later, i tried setting the "password-hash {SSHA}" in the slapd.conf file and that didn't help me either. I am on a windows environment. I am passing the password to openLDAP in plain text format. There is no encryption going on in the code. I know i can encrypt it in the application but i would prefer openLDAP to do it for me. Please let me know if i can do anything on the openLDAP side.
This is the JAVA code i use today to modify passwords. This has been working fine in our existing environment for the past 7 years.
ModificationItem[] newAttribs = new ModificationItem[1];
Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
newAttribs[0] = passwordItem;
.....
DirContext ctx = this.getContext();
ctx.modifyAttributes( DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);
So, the default password hash format in openldap is SSHA, which is nice.
Unfortunately, the default password policy in openldap is 'do not enforce password hashing'.
You will want to add an overlay to the database you're storing users in.
In the cn=config version, this looks like, approximately:
dn: olcOverlay={X}ppolicy,olcDatabase={Y}bdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {X}ppolicy
olcPPolicyHashCleartext: TRUE
(where Y is your database number in cn=config, X is the overlay number you want it to be)
The slapd.conf version is similar, you need an:
overlay ppolicy
ppolicy_hash_cleartext
entry, inside the relevant database definition (you don't need to provide a value for ppolicy_hash_cleartext, presence indicates TRUE).
Using either the phpass test program http://www.openwall.com/phpass/phpass-0.3.tar.gz , or python-phpass, and using C?*|Y[j"KQ'%gf for the plain text password, and $P$9kS6tD8tVxajypvJ5837.bt2emepD8/ as the hash, doing:
<?php
#
# This is a test program for the portable PHP password hashing framework.
#
# Written by Solar Designer and placed in the public domain.
# See PasswordHash.php for more information.
#
require 'PasswordHash.php';
header('Content-type: text/plain');
$t_hasher = new PasswordHash(8, FALSE);
$correct2 = 'C?*|Y[j"KQ\'%gf';
$hash2 = '$P$9kS6tD8tVxajypvJ5837.bt2emepD8/';
print 'Hash: [' . $hash2 . "]\n";
print 'correct: [' . $correct2 . "]\n";
$check = $t_hasher->CheckPassword($correct2, $hash2);
if ($check)
{
print "Check IF THIS WORKScorrect: '" . $check . "' (should be '1')\n";
}
else
{
print "IT FAILED!!!!!!!!\n\n\n";
}
?>
The hash was from phpBB3 (3.0.10), and when I supply that password to phpBB3, it does work correctly.
phpBB3 is supposed to be using phpass itself, doing $H$ instead of $P$.
The database entry in phpBB3 for this example is:
qlc4pi000000";0;"127.0.0.1";1351902499;"testpass";"testpass";"$H$9kS6tD8tVxajypvJ5837.bt2emepD8/";1351902499;0;"tp#inva.lid.com";266402289712;"''";1351902544;1351902499;0;"''";"''";0;0;0;0;0;0;0;"en";0.00;0;"D M d, Y g:i a";2;0;"''";0;0;0;0;-3;0;0;"t";"d";0;"t";"a";0;1;0;1;1;1;1;230271;"''";0;0;0;"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"bf4ae169a5a21313";1;0;0
The plain text password used in phpBB3 is [C?*|Y[j"KQ'%gf] and the hash (converted from phpBB3 format is [$P$9kS6tD8tVxajypvJ5837.bt2emepD8/] (both password & hash are between the [])
Can anyone shed some light on what is going on, and why this doesn't work with phpass ?
This is on the same machine that the forums are on, and again, it does work on the phpBB3 forums, so I can login fine. It just I can't authenticate with phpass externally when I access the phpBB3 database directly. It does work on other accounts though, it is only certain accounts it fails on.
Turns out the issue is, phpBB3 converts the password to use html escape codes.
Now, once the password is converted, it matches the hash stored in phpBB3.
The phpBB3 most likely applies PHP function htmlspecialchars (with no flags) to the password.
This fact noted by phpBoing was also noticed in discussion of question https://stackoverflow.com/a/12543884/1148030 .
The nonstandard identifier $H$ is useful. When $H$ is present implementation can know to apply escaping to support phpBB3.